v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

ISO/IEC 27001

ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS): a systematic, risk-driven way of managing information security.

CASRAI research-methods explainer — ISO/IEC 27001


What an ISMS protects

An information security management system is the framework of policies, processes and controls by which an organisation manages information security risk. ISO/IEC 27001 frames security around three properties: confidentiality (information is accessible only to those authorised), integrity (information is accurate and complete) and availability (information is accessible when needed). The standard requires the organisation to understand its context, define the scope of the ISMS, secure leadership commitment, assess risks to information, and treat those risks with appropriate controls. Crucially, it is risk-driven: the controls an organisation implements follow from the risks it identifies.

Annex A and the controls

ISO/IEC 27001 includes Annex A, a reference set of information security controls against which an organisation checks its risk treatment. In the 2022 revision, Annex A was restructured into 93 controls across four themes (organisational, people, physical and technological), replacing the 114 controls in fourteen domains of the 2013 edition. Clause 6.1.3 of the standard requires the organisation to determine the controls needed to treat its risks, compare them with Annex A to verify that no necessary control has been overlooked, and record the result in a Statement of Applicability (SoA) that lists the necessary controls, the justification for including them, whether each is implemented, and the justification for excluding any Annex A control. Controls may also be taken from other sources or designed in-house; the detailed implementation guidance for the Annex A controls lives in the companion standard ISO/IEC 27002. Annex A is a menu informed by risk, not a mandatory checklist to implement in full, but every control in it must be accounted for in the SoA.
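The consistency an auditor looks for between the risk treatment plan and the SoA can be checked mechanically. The following Python is an added example, not code from CASRAI, from the standard or from any ISMS tool: it flags reference controls with no decision, inclusions or exclusions without a justification, risks treated by a control the SoA excludes, and applicable controls that no risk actually references. The sample data is constructed; the four control numbers are those of the 2022 Annex A controls named on this page (threat intelligence, cloud services, data leakage prevention, secure coding), and the risk identifiers and the `check_soa` helper are hypothetical.

```python
"""Consistency check of a Statement of Applicability (SoA) against a risk treatment plan.

Hypothetical helper, not part of the standard or of any ISMS tool; the data below
is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SoaEntry:
    """One row of the SoA: the decision on a single reference control."""
    control_id: str
    title: str
    applicable: bool        # included (True) or excluded (False)
    justification: str      # required in both cases under clause 6.1.3 d)
    implemented: bool = False


@dataclass
class RiskTreatment:
    """One treated risk and the control IDs chosen to treat it."""
    risk_id: str
    description: str
    controls: list[str] = field(default_factory=list)


def check_soa(reference_ids: list[str], soa: list[SoaEntry],
              treatments: list[RiskTreatment]) -> list[str]:
    """Return a list of findings; an empty list means the SoA is internally consistent."""
    findings: list[str] = []
    by_id = {e.control_id: e for e in soa}

    # 1. Every reference control must be decided on: applicable, or excluded with a reason.
    for cid in reference_ids:
        if cid not in by_id:
            findings.append(f"{cid}: not addressed in the SoA")

    # 2. Inclusions and exclusions both need a written justification.
    for e in soa:
        if not e.justification.strip():
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(f"{e.control_id}: {kind} has no justification")

    # 3. A control used to treat a risk cannot at the same time be excluded from the SoA.
    for t in treatments:
        for cid in t.controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{t.risk_id}: references control {cid} that is absent from the SoA")
            elif not entry.applicable:
                findings.append(f"{t.risk_id}: treated by {cid}, but the SoA excludes it")

    # 4. An applicable control that no risk treatment references is a sign of checkbox
    #    selection rather than risk-driven selection; flag it for review.
    referenced = {cid for t in treatments for cid in t.controls}
    for e in soa:
        if e.applicable and e.control_id not in referenced:
            findings.append(f"{e.control_id}: applicable but no risk treatment references it")

    return findings


# Constructed sample: four of the 2022 Annex A controls and three hypothetical risks.
REFERENCE_CONTROLS = ["5.7", "5.23", "8.12", "8.28"]

SAMPLE_SOA = [
    SoaEntry("5.7", "Threat intelligence", True, "Treats R-01", implemented=True),
    SoaEntry("5.23", "Information security for use of cloud services", True, "Treats R-02"),
    SoaEntry("8.12", "Data leakage prevention", True, ""),  # included, but nobody wrote why
    SoaEntry("8.28", "Secure coding", False, "No in-house software development"),
]

SAMPLE_TREATMENTS = [
    RiskTreatment("R-01", "Phishing against finance staff", ["5.7"]),
    RiskTreatment("R-02", "Misconfigured SaaS tenant exposes customer data", ["5.23"]),
    RiskTreatment("R-03", "Contractor-written code deployed to production", ["8.28"]),
]


def run_sample() -> list[str]:
    """Run the check over the constructed sample and return its findings."""
    return check_soa(REFERENCE_CONTROLS, SAMPLE_SOA, SAMPLE_TREATMENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed sample the check returns three findings: control 8.12 is included without a justification, risk R-03 is treated by secure coding while the SoA excludes that control (the exclusion reason "no in-house development" is contradicted by the contractor-code risk), and 8.12 is applicable without any risk pointing at it. Each of these is the kind of gap a certification auditor raises when comparing the SoA with the risk assessment.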

Certification and the 2022 revision

Organisations are certified to ISO/IEC 27001 by accredited certification bodies following an audit of the ISMS, typically in a three-year cycle of initial certification, annual surveillance audits and recertification. A certificate covers only the ISMS scope stated on it, so anyone relying on a supplier's certificate should read the scope statement rather than the certificate number alone. The 2022 revision updated both the management-system clauses and Annex A, adding eleven new controls covering areas such as threat intelligence, information security for use of cloud services, data leakage prevention and secure coding. Certification is widely sought because customers, regulators and partners increasingly require demonstrable information security, and a single recognised certificate can satisfy many such demands at once. As with other management-system standards, conformity must be maintained through continual improvement, including internal audits and management reviews between external audits.

Key facts

At a glance

  • Definition: requirements for an information security management system (ISMS)
  • Current version: ISO/IEC 27001:2022
  • Protects: confidentiality, integrity and availability of information
  • Annex A: 93 controls in four themes (2022 restructure)
  • Companion: ISO/IEC 27002 gives control implementation guidance
  • Certifiable: yes, by independent third-party audit

Common misconceptions

What people often get wrong

Often heard: ISO/IEC 27001 requires you to implement every Annex A control.

Actually: Annex A is a reference set, not a mandatory checklist. Organisations select controls based on their risk assessment, compare the selection with Annex A to confirm that nothing necessary has been omitted, and document the choices in a Statement of Applicability, justifying any exclusions. The driver is risk, not a fixed list.

Often heard: ISO/IEC 27001 is only about IT and technology.

Actually: ISO/IEC 27001 covers information security broadly — organisational, people and physical controls as well as technological ones. It addresses staff, suppliers, physical access and processes, not just IT systems.

Often heard: Getting ISO/IEC 27001 certified means you cannot be breached.

Actually: Certification means information security risk is managed systematically and continually improved; it does not guarantee immunity from incidents. The standard is about reducing and managing risk, including how the organisation detects and responds to events.

